IT Security and Privacy
Meyer Eddie, Scott Wibbenmeyer, Chanchart Chanthanan, Zhijing Fang, ZongJun Zhu

IT Security
Information security is the process of protecting information systems and data from unauthorized access, use, disclosure, destruction, modification, or disruption. It is concerned with the confidentiality, integrity, and availability of data regardless of the form the data may take: electronic, print, or other forms.
Source: http://en.wikipedia.org/wiki/It_security, viewed April 2nd, 2007

Overview
- Why is it important?
- Role of CSO
- Costs of IT Security
- Security Threats
- Practices to mitigate threats
- Case Study (Washington Mutual)
- Case Study (Ameren)

Why is IT Security Important?
“Security breaches are as common in today’s business landscape as bad coffee and briefcases.”
Computer systems are vulnerable to many threats that can inflict various types of damage resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centers.
Sources: An Introduction to Computer Security: The NIST Handbook, National Institute of Standards and Technology, U.S. Department of Commerce Special Publication 800-12; http://www.cio.com/article/28648/Data_Breaches_Preparation_Damage_Control_and_a_Recent_History, viewed April 2, 2008

Why is IT Security Important?
46% of respondents said that their organization had experienced a security incident in 2007.
Source: Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.

Trends in Information Security Breaches
Security is increasing as a top management concern.
Source: Luftman, J., Kempaiah, R., and Nash, E., Key Issues for IT Executives 2005, MIS Quarterly Executive, Vol. 5, No. 2, June 2006, pp 81-99

Trends in Information Security Breaches
The percentage of companies with a written security policy has increased from 47% in 2004 to 62% in 2006.
Source: http://www.industrialcontroldesignline.com/showArticle.jhtml;jsessionid=XDVFQM3C2DBASQSNDLOSKH0CJUNN2JVN?articleID=204200898&queryText=Written+Security+Policy/, viewed April 2, 2008

Trends in Information Security Breaches
[Figure 2: Severity Level of Security Breaches, 0-10 scale of severity. Security breaches are getting more serious.]
Source: http://www.industrialcontroldesignline.com/showArticle.jhtml;jsessionid=XDVFQM3C2DBASQSNDLOSKH0CJUNN2JVN?articleID=204200898&queryText=Written+Security+Policy/, viewed April 2, 2008

Role of Chief Security Officer

CSO
The Chief Security Officer (CSO) is a corporation's top executive responsible for security. The CSO serves as the business leader responsible for the development, implementation and management of the organization’s corporate security vision, strategy and programs. They direct staff in identifying, developing, implementing and maintaining security processes across the organization to reduce risks, respond to incidents, and limit exposure to liability in all areas of financial, physical, and personal risk; establish appropriate standards and risk controls associated with intellectual property; and direct the establishment and implementation of policies and procedures related to data security.
Source: http://en.wikipedia.org/wiki/Chief_Security_Officer, viewed April 2, 2008

Background of CSO
- Most CSOs have an IT background (63%)
- Others (37%): Corporate Security, Military, Law Enforcement, Business Operations, Audit
Source: Petersen, Rodney, The Role of the CSO, Educause, September/October 2006, pp. 73-82.

Role of CSO
- Oversee a network of security directors and vendors who safeguard the company’s assets, intellectual property, and computer systems, along with the physical safety of employees and visitors
Source: Petersen, Rodney, The Role of the CSO, Educause, September/October 2006, pp. 73-82.
Image source: http://images.google.com/imgres?imgurl=http://www.csointerchange.org/images/cso_interchange_logo.gif&imgrefurl=http://www.csointerchange.org/bios/bios-chicago-05/&h=93&w=303&sz=5&hl=en&start=19&um=1&tbnid=Zu6MFMM7sHYvM:&tbnh=36&tbnw=116&prev=/images%3Fq%3Dcso%2BSymantec%2BCorporation%2B%26um%3D1%26hl%3Den, viewed April 10, 2008

Role of CSO (Cont’d)
- Identify protection goals, objectives, and metrics consistent with corporate strategic plans
- Manage the development and implementation of global security policy, standards, guidelines, and procedures to ensure ongoing maintenance of security
Source: Petersen, Rodney, The Role of the CSO, Educause, September/October 2006, pp. 73-82.

IT Security Costs
Between 1995 and 2000, company spending on IT security increased 188%.

IT Security Costs
Average losses in 2007 were $345,000 per respondent.
Source: Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.

IT Security Costs
[Figure: total losses as reported by the 2005 CSI/FBI Annual Computer Crime and Security Survey]
Source: http://www.acunetix.com/websitesecurity/web-hacking.htm, viewed March 27, 2008

IT Security Costs
Are costs equalizing?
Source: Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.

IT Security Costs
"What is the SINGLE greatest obstacle to achieving adequate infosecurity at your organization?"
Source: Information Security Magazine, July 1999, "Top Obstacle is Budget: What is the SINGLE greatest obstacle to achieving adequate infosecurity at your organization?"

IT Security Threats
Organizational (Individual)

Many types of threats exist.
Source: Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. pp. 1-25.
Types of Attacks or Abuse
Source: Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007. pp. 1-25.

Who is Attacking?
Source: http://www.esecurityplanet.com/, viewed April 2, 2008

Two types of threats can affect both individual and organizational security:
1. Natural Threats - weather, deterioration, accidents, etc.
2. Man Made Threats - hackers, spam, phishing, identity theft, terrorism

Natural Security Threats
- Weather
- Deterioration
  - Do you have backup data stored offsite?
  - Do you have a plan?
- Accidents

Man Made Security Threats
- Phishing
- Identity Theft
- Terrorism
What do you have in place to prevent these things from happening?

Man Made Security Threats: Phishing
An attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.
Source: http://en.wikipedia.org/wiki/Phishing, viewed April 2, 2008

Risk of Phishing
According to Kaspersky Lab, 45% of online activity requires users to disclose personal or financial data. The top online activities listed by home PC users that require the disclosure of personal information were banking (20%), shopping (15%), and travel booking (10%).
Source: http://www.lexisnexis.com.ezproxy.umsl.edu, Inter Business News, Jan 9, 2007, viewed Mar 3, 2008

Risk of Phishing
Phishing now threatens both business and personal transactions. Its main purpose is to steal financial data. There were around 14,156 fake websites in 2006, up from 1,713 in 2005. (The Sun)
Source: http://www.lexisnexis.com.ezproxy.umsl.edu, The Sun: Still @ IT, Oct 23, 2007, viewed Mar 3, 2008

Risk of Phishing (Cont)
According to the Sun poll of 2007, a third of internet users responded to e-mails they did not recognize.
15% thought a website was secure if it claimed to belong to a well-known company, but were unable to distinguish a secure website from a fake one.
Source: http://www.lexisnexis.com.ezproxy.umsl.edu, The Sun: Still @ IT, Oct 23, 2007, viewed Mar 3, 2008

Most Targeted Industry Sectors in December 2007
Financial services were the most targeted industry sector, accounting for 91.7% of all recorded attacks.
Source: http://www.antiphishing.org, Phishing Activity Trends Report for 2007, Anti-Phishing Working Group (APWG), viewed March 4, 2008

Top 10 Phishing Site Hosting Countries
The United States ranks first among countries hosting phishing sites.
Source: http://www.antiphishing.org, Phishing Activity Trends Report for 2007, Anti-Phishing Working Group (APWG), viewed March 4, 2008

Example of Phishing
A real example recently hit UMSL e-mail: the UMSL e-mail server received a phishing message which claimed to come from the Central Bank.

Example of Phishing (Cont’d)
http://www.centralbank.net7idpersonalbanking-secure-survey-id58274.28secure.net.jikao.com.tw/.https://www.centralbank.net/

Some Tips to Avoid the Risk of Phishing
- Do not complete a form in an e-mail message that asks you for personal information
- Enter personal information only at a secure website (https)
- Avoid clicking links in e-mail messages
- Never send a PIN or other secret data via e-mail

Man Made Security Threats: Identity Theft
Crimes involving the illegal use of another individual's identity. The most common form of identity theft is credit card fraud. While the term is relatively new, the practice of stealing money or getting other benefits by pretending to be a different person is thousands of years old.
Source: http://en.wikipedia.org/wiki/Identity_Theft, viewed April 2, 2008

Types / Cost of Identity Theft
Crimes involving the illegal use of another individual's identity. Types:
- Financial Identity Theft (using another's identity to obtain goods and services)
- Criminal Identity Theft (posing as another when apprehended for a crime)
- Identity Cloning (using another's information to assume his or her identity in daily life)
- Business/Commercial Identity Theft (using another's business name to obtain credit)
Source: “Identity Theft by Victims Age”. Identity Theft Data Clearinghouse. May 12, 2006. pp. 2-32.

Man Made Security Threats: Terrorism
Those acts which are intended to create fear (terror), are perpetrated for an ideological goal by a member or members of a group (as opposed to being carried out in a lone attack), and which deliberately target, or else disregard the safety of, noncombatants (civilians).
Source: http://en.wikipedia.org/wiki/Terrorism, viewed April 2, 2008

Threat Assessment
You can look at threat assessment two ways:
- Qualitative: an “educated best guess” based on the opinions of knowledgeable others, gained through interviews, history, tests, and personal experience
- Quantitative: uses statistical sampling based on mathematical computations to determine the probability of an occurrence from historical data
Source: Kovacich, Gerald L., Information Systems Security Officer’s Guide. Butterworth Heinemann, 2003.

Security Audits
Security audits were 63% useful in evaluating the effectiveness of security technology.
Source: Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.

Insurance Policies
Source: Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.
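Before moving on to mitigation practices, here is the phishing section's advice turned into a check. The Central Bank address shown earlier embeds the bank's name inside a host that actually belongs to jikao.com.tw, and the tips say to trust only an https address at the genuine site. The following Python script is an added example, not part of the original presentation; its registrable_domain helper and the short suffix list it uses are simplifications assumed for this example, not a full public-suffix list.

```python
# Added example, not from the original slides: apply the anti-phishing tips
# (is it https? does the real host belong to the bank?) to a link before
# anyone opens it.
from urllib.parse import urlparse
import re

# Sample input: the address reproduced from the Central Bank example on the
# slide, plus a constructed genuine-looking address for comparison.
SAMPLE_URLS = [
    "http://www.centralbank.net7idpersonalbanking-secure-survey-id58274"
    ".28secure.net.jikao.com.tw/.https://www.centralbank.net/",
    "https://www.centralbank.net/personalbanking/",   # constructed
]

# Assumption of this example: a short list of second-level labels that form a
# two-part public suffix together with a two-letter country code (com.tw,
# co.uk, ...). A real deployment would consult the full Public Suffix List.
TWO_PART_SUFFIX_LABELS = {"com", "net", "org", "co", "edu", "gov", "ac"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that an owner actually registers.

    'www.centralbank.net' -> 'centralbank.net'
    'x.y.jikao.com.tw'    -> 'jikao.com.tw'
    """
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in TWO_PART_SUFFIX_LABELS):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url: str, expected_domain: str) -> dict:
    """Compare where a link really goes with the domain the reader expects.

    Returns the real host, its registrable domain and a list of findings; an
    empty findings list means none of the warning signs from the slides
    were seen.
    """
    parts = urlparse(url)
    host = parts.hostname or ""
    actual = registrable_domain(host) if host else ""
    expected = expected_domain.lower()
    brand = expected.split(".")[0]
    findings = []
    if parts.scheme != "https":
        findings.append("not https: the tips say to enter data only at a secure site")
    if actual != expected:
        findings.append(f"real domain is '{actual}', not '{expected}'")
        if brand in host:
            findings.append("brand name is embedded in a host someone else controls")
    if parts.username:
        findings.append("user@ prefix in the address can disguise the real host")
    if re.search(r"https?:", parts.path, re.IGNORECASE) or expected in parts.path:
        findings.append("a second web address is hidden inside the path")
    return {"host": host, "registrable_domain": actual,
            "findings": findings, "looks_genuine": not findings}


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        result = check_link(url, "centralbank.net")
        print(url)
        for finding in result["findings"] or ["no warning signs found"]:
            print("  -", finding)
```

Run against the slide's address the script reports four warning signs (plain http, a registrable domain of jikao.com.tw, the bank's name buried in the host, and a second address hidden in the path), while the constructed https address at centralbank.net passes clean.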
Practices to Mitigate Threats
- Biometric Security
- Intrusion Prevention System

Biometric Security
- Uses computerized methods to identify a person by their unique physical or behavioral characteristics
- Provides extremely accurate and secure access to information
Sources: http://news.bbc.co.uk/2/shared/spl/hi/guides/456900/456993/html/default.stm, Biometric Technology, BBC News, viewed March 4, 2008; http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=10, Biometric Technology Overview, viewed March 4, 2008

Examples of Biometrics
- Fingerprint Identification - the process of automatically matching one or more unknown fingerprints against a database of known and unknown patterns
- Iris Scan - provides an analysis of the rings, furrows, and freckles in the colored ring which surrounds the pupil of the eye
Sources: http://news.bbc.co.uk/2/shared/spl/hi/guides/456900/456993/html/default.stm; http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=10; http://en.wikipedia.org/wiki/Biometric

Intrusion Prevention System
- Next generation firewall
- A computer security device that monitors network and system activities for malicious or unwanted behavior and can react in real time
Source: http://en.wikipedia.org/wiki/Intrusion_Prevention_System

Washington Mutual Phishing Case

Washington Mutual Overview
- Founded in 1889
- Retailer of financial services: mortgage lending, commercial banking, other financial services
- CIO: Debora D. Horvath. Prior to joining WaMu, she served as senior vice president and CIO for Richmond, Virginia-based GE Insurance, where she led a global information technology organization with a $500 million budget.
- Assets of 333.62 billion
- More than 2,400 retail banking locations
Sources: http://www.wamu.com/business/default.asp, viewed April 11th, 2008; http://www.rsa.com/press_release.aspx?id=6801, viewed April 10, 2008

Phishing Trip: Washington Mutual
Source: http://www.infectionvectors.com/library/phishing_trip_wamu-iv.pdf, viewed April 10, 2008

Current Practice of Online Banking Security
Washington Mutual further protects its online users with a multi-factor authentication solution.
Source: http://www.wamu.com/business/default.asp

RSA Cyota Consumer Solutions
RSA Cyota Consumer Solutions, a division of RSA Security Inc., offers proven solutions for online banking and e-commerce that range from adaptive authentication (with risk-based technology, one-time passwords and transaction signing) to anti-phishing services and real-time transaction monitoring that controls fraud and manages risk. The company’s eFraudNetwork™ community is the world’s most effective cross-bank collaborative online fraud network. Today, many of the world’s top 50 banks, including nine of the top 12 banks in North America and the UK, use RSA Cyota solutions to protect approximately 430 million consumers.
Source: http://www.baselinemag.com/c/a/Projects-Security/Security-Case-Washington-Mutual-Gets-a-Line-on-Phishing/

Authentication
"Washington Mutual is once again taking a proactive approach to protecting our customers by securing their accounts and personal information with superior, flexible, cutting-edge technology. By doing so, Washington Mutual customers will continue to benefit from the convenience and ease of online banking with the utmost confidence," said Dave Cullinane, chief information security officer at Washington Mutual and International President of the Information Systems Security Association.
Washington Mutual’s enhanced security analyzes every online login and transaction behind the scenes and scores the potential risk based on a broad range of criteria, including the user’s IP address, geographic location, prior transaction behavior and much more. When a potentially risky situation is detected, it can invoke additional authentication methods in real time. In addition, because online fraud crosses international boundaries, WaMu is further protecting its customers by joining a real-time, world-wide fraud detection network.
Source: http://www.baselinemag.com/c/a/Projects-Security/Security-Case-Washington-Mutual-Gets-a-Line-on-Phishing/

Case Study: What is Ameren?

Company Overview
- Provides energy to approximately 2.4 million electric customers and nearly 1 million gas customers in IL and MO
- Ameren was created via mergers: Union Electric (UE), Central IL Public Service Co. (CIPSCO), Central IL Light Co. (CILCO), Illinois Power (IP)
- Headquarters in St. Louis, MO
- 9,000 employees
Source: http://www.ameren.com/AboutUs/ADC_AU_FactSheet.pdf, viewed March 28, 2008

Ameren Organizational Chart (top to bottom)
- CEO Ameren
  - Other CEOs
  - CEO Ameren Services
    - Other VPs
    - Sr. VP Admin
      - VP Info Technology
        - Other Directors and Managers
        - Manager IT Security and Planning
          - Managing Supv IT Security & Plan
          - Supv IT Financial Planning
          - Supv IT Infrastructure
          - Account Consultants
          - IT Security Analysts, Architects, Engineers
Source: http://scholar/orgchart/ChartApp.aspx?defaultredirect=true&action=viewinorgchart&key=19721, March 20, 2008

Security IT Background
- 530 IT employees
- 5 full-time employees for information security
- IT security budget is 1% of the annual IT budget: 600K O&M, 400K capital
- 1 manager, 6 supervisors, 3 account consultants
- 30 technical architects, engineers, analysts
Sources: Linda Nappier, Manager IT Security – Planning, interview with Scott Wibbenmeyer, April 10, 2008; http://scholar/orgchart/ChartApp.aspx?defaultredirect=true&action=viewinorgchart&key=19721, March 20, 2008

[Figure]
Source: Linda Nappier, Manager IT Security – Planning, interview with Scott Wibbenmeyer, April 10, 2008

Top Security Risks
1. Data loss (customer and corporate) – image
2. Viruses
3. External attacks (firewall attacks)
4. Internal attacks (e-mail virus, spam, bots)
5. Phishing – social engineering
Source: Mark Habrock and Edmond Rogers, Security Analysts, interviewed in person by Scott J. Wibbenmeyer, April 8, 2008

IT Security Technologies
Access Control Systems
- Physical Security: Enterprise Security Management System; card readers limiting access to hardware rooms and security personnel
- Data Security: access policy; network access control software; limiting access to software and networks on an as-needed basis; disabling Bluetooth capabilities on Ameren equipment (i.e. cell phones)
Source: Mark Habrock and Edmond Rogers, Security Analysts, interviewed in person by Scott J. Wibbenmeyer, April 8, 2008

IT Security Technologies
Firewalls and Intrusion Detection System (IDS)
- Over 1 million attacks against the firewall a year
- 24-hour personnel monitoring of the firewall
- 6000 firewall rules
- Monitors the IP address of each attack
Source: Mark Habrock and Edmond Rogers, Security Analysts, interviewed in person by Scott J. Wibbenmeyer, April 8, 2008

IT Security Technologies
- Two Factor Authentication – tokens & passwords: RSA SecurID token
- Anti-Virus Software: Symantec; e-mail is evaluated by Symantec off-site
- Network Pattern Software: monitors usage patterns of the network
Source: Mark Habrock and Edmond Rogers, Security Analysts, interviewed in person by Scott J. Wibbenmeyer, April 8, 2008

IT Security Technologies
Anti-Spam Software
- Frontbridge – relay service
- Personnel updating trigger points
- Over 4.3 million spam e-mails blocked a day
Policies
- Remote Access
- Internet Usage – Websense
- Equipment Procurement
- Communication Policy
- Disaster Recovery Policy
- Audit Policy
Source: Mark Habrock and Edmond Rogers, Security Analysts, interviewed in person by Scott J. Wibbenmeyer, April 8, 2008

Walk Away Today Safer – Quick Summary
- Protect your personal information. It's valuable.
- Don’t cut security to save money.
- Use antivirus and personal firewall software and update both regularly.
- Be sure to set up your operating system, network and web browser software properly, and update them regularly.
- Protect your passwords.
- Back up important files.
- Learn who to contact if something goes wrong online.

?? Questions ??

References
- http://en.wikipedia.org/wiki/It_security, viewed April 2nd, 2007
- An Introduction to Computer Security: The NIST Handbook, National Institute of Standards and Technology. U.S. Department of Commerce Special Publication 800-12
- http://www.cio.com/article/28648/Data_Breaches_Preparation_Damage_Control_and_a_Recent_History, viewed April 2, 2008
- Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.
- Luftman, J., Kempaiah, R., and Nash, E., Key Issues for IT Executives 2005, MIS Quarterly Executive, Vol. 5, No. 2, June 2006, pp 81-99
- http://www.industrialcontroldesignline.com/showArticle.jhtml;jsessionid=XDVFQM3C2DBASQSNDLOSKH0CJUNN2JVN?articleID=204200898&queryText=Written+Security+Policy/, viewed April 2, 2008
- http://en.wikipedia.org/wiki/Chief_Security_Officer, viewed April 2, 2008
- Petersen, Rodney, The Role of the CSO, Educause, September/October 2006, pp. 73-82.
- http://images.google.com/imgres?imgurl=http://www.csointerchange.org/images/cso_interchange_logo.gif&imgrefurl=http://www.csointerchange.org/bios/bios-chicago05/&h=93&w=303&sz=5&hl=en&start=19&um=1&tbnid=Zu6MFMM7sHYvM:&tbnh=36&tbnw=116&prev=/images%3Fq%3Dcso%2BSymantec%2BCorporation%2B%26um%3D1%26hl%3Den, viewed April 10, 2008
- http://www.acunetix.com/websitesecurity/web-hacking.htm, viewed March 27, 2008
- Information Security Magazine, July 1999, "Top Obstacle is Budget: What is the SINGLE greatest obstacle to achieving adequate infosecurity at your organization?"
- Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007. pp. 1-25.
- http://www.esecurityplanet.com/, viewed April 2, 2008
- http://en.wikipedia.org/wiki/Phishing, viewed April 2, 2008

References (Continued)
- http://www.lexisnexis.com.ezproxy.umsl.edu, Inter Business News, Jan 9, 2007, viewed Mar 3, 2008
- http://www.lexisnexis.com.ezproxy.umsl.edu, The Sun: Still @ IT, Oct 23, 2007, viewed Mar 3, 2008
- http://en.wikipedia.org/wiki/Identity_Theft, viewed April 2, 2008
- “Identity Theft by Victims Age”. Identity Theft Data Clearinghouse. May 12, 2006. pp. 2-32.
- http://en.wikipedia.org/wiki/Terrorism, viewed April 2, 2008
- Kovacich, Gerald L., Information Systems Security Officer’s Guide. Butterworth Heinemann, 2003.
- http://en.wikipedia.org/wiki/Biometric, viewed April 2, 2008
- http://www.wamu.com/business/default.asp, viewed April 11th, 2008
- http://www.rsa.com/press_release.aspx?id=6801, viewed April 10, 2008
- http://www.infectionvectors.com/library/phishing_trip_wamu-iv.pdf, viewed April 10, 2008
- http://www.baselinemag.com/c/a/Projects-Security/Security-Case-Washington-Mutual-Gets-a-Line-on-Phishing/
- http://www.ameren.com/AboutUs/ADC_AU_FactSheet.pdf, viewed March 28, 2008
- http://scholar/orgchart/ChartApp.aspx?defaultredirect=true&action=viewinorgchart&key=19721, March 20, 2008
- Linda Nappier, Manager IT Security – Planning, interview with Scott Wibbenmeyer, April 10, 2008
- Mark Habrock and Edmond Rogers, Security Analysts, interviewed in person by Scott J. Wibbenmeyer, April 8, 2008

References (Continued)
- http://news.bbc.co.uk/2/shared/spl/hi/guides/456900/456993/html/default.stm, Biometric Technology. BBC News. Viewed March 4, 2008.
- http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=10, Biometric Technology Overview. Viewed March 4, 2008.
- http://www.antiphishing.org, Phishing Activity Trends Report for 2007. Dec. 2007. Anti-Phishing Working Group (APWG). Viewed March 4, 2008.
- http://en.wikipedia.org/wiki/Intrusion_Prevention_System, viewed March 4, 2008.
- http://www.security-int.com/categories/intrusion-prevention-systems/intrusion-prevention-systems.asp, Intrusion Prevention Systems on the Security Software Map. Viewed March 5, 2008.